Abstract

Data structures often use an integer variable to keep track of the number of elements they store. An invariant of such a data structure is that the value of the integer variable is equal to the number of elements stored in the data structure. Using a program analysis framework that supports abstraction of data structures as sets, such constraints can be expressed using the language of sets with cardinality constraints. The same language can be used to express preconditions that guarantee the correct use of the data structure interfaces, and to express invariants useful for the analysis of the termination behavior of programs that manipulate objects stored in data structures. In this paper we show the decidability of valid formulas in one such language.

Specifically, we examine the first-order theory that combines 1) Boolean algebras of sets of uninterpreted elements and 2) Presburger arithmetic operations. Our language allows relating the cardinalities of sets to the values of integer variables. We use quantifier elimination to show the decidability of the resulting first-order theory. We thereby disprove a recent conjecture that this theory is undecidable. We describe a basic quantifier-elimination algorithm and its more sophisticated versions. From the analysis of our algorithms we obtain an elementary upper bound on the complexity of the resulting combination. Furthermore, our algorithm yields the decidability of a combination of sets of uninterpreted elements with any decidable extension of Presburger arithmetic. For example, we obtain decidability of monadic second-order logic of n-successors extended with sets of uninterpreted elements and their cardinalities, a result which is in contrast to the undecidability of extensions of monadic second-order logic over strings with the equicardinality operator on sets of strings.

Version compiled February 1, 2008, 7:46pm. 



1 Introduction 

Program analysis and verification tools can greatly contribute to software reliability, especially when used throughout the software development process. Such tools are even more valuable if their behavior is predictable, if they can be applied to partial programs, and if they allow the developer to communicate the design information in the form of specifications. Combining the basic idea of [21] with decidable logics leads to analysis tools that have these desirable properties; examples include [34, 25, 4, 41, 54, 29, 30]. These analyses are precise (because they represent loop-free code precisely) and predictable (because the checking of verification conditions terminates either with a realizable counterexample or with a sound claim that there are no counterexamples).

The key challenge in this approach to program analysis and verification is to identify a logic that captures an interesting class of program properties, but is nevertheless decidable. In [30, 29] we identify the first-order theory of Boolean algebras as a useful language for languages with dynamically allocated objects: this language allows expressing generalized typestate properties and reasoning about data structures as dynamically changing sets of objects.

The results of this paper are motivated by the fact that we often need to reason not only about the data structure content, but also about the size of the data structure. For example, we may want to express the fact that the number of elements stored in a data structure is equal to the value of an integer variable that is used to cache the data structure size, or we may want to introduce a decreasing integer measure on the data structure to show program termination. These considerations lead to a natural generalization of the first-order theory of Boolean algebra of sets, a generalization that allows integer variables in addition to set variables, and allows stating relations of the form $|A| = k$ meaning that the cardinality of the set $A$ is equal to the value of the integer variable $k$. Once we have integer variables, a natural question arises: which relations and operations on integers should we allow? It turns out that, using only the Boolean algebra operations and the cardinality operator, we can already define all operations of Presburger arithmetic. This leads to the structure BAPA, which properly generalizes both Boolean algebras (BA) and Presburger arithmetic (PA). Our paper shows that the first-order theory of the structure BAPA is decidable.

A special case of BAPA was recently shown decidable in [57], which allows only quantification over elements but not over sets of elements. (Note that quantification over sets of elements subsumes quantification over elements because singleton sets can represent elements.) In fact, [57] identifies the problem of decidability of BAPA and conjectures that it is undecidable. Our result proves this conjecture false by showing that BAPA is decidable. Moreover, we give a translation of BAPA sentences into PA sentences and derive an elementary upper bound on the worst-case complexity of the validity problem for BAPA.

Contributions and Overview. We can summarize our paper as follows.

1. We motivate the use of sets with cardinality constraints through an example (Section 2) and show how to reduce the validity of annotated recursive program schemas (which are a form of imperative programs) to the validity of logic formulas (Section 3).

2. We show the decidability of Boolean algebras with Presburger arithmetic (BAPA) using quantifier elimination in Section 5.2. This result immediately implies decidability of the verification problem for schemas whose specifications are expressed in BAPA.

As a preparation for this result, we review the quantifier elimination technique in Section 4.1 and show its application to the decidability of Boolean algebras (Section 4.2) and Presburger arithmetic (Section 11.1). We also explain why adding the equicardinality operator to Boolean algebras allows defining Presburger arithmetic operations on equivalence classes of sets (Section 5.1).

3. We present an algorithm $\alpha$ (Section 5.4) that translates BAPA sentences into PA sentences by translating set quantifiers into integer quantifiers. This is the central result of this paper and shows a natural connection between Boolean algebras and Presburger arithmetic.

4. We analyze our algorithm $\alpha$ and show that it yields an elementary upper bound on the worst-case complexity of the validity problem for BAPA sentences that is close to the bound on PA sentences themselves (Section 6).

5. We show that PA sentences generated by translating pure BA sentences can be checked for validity in the space optimal for Boolean algebras (Section 6.2).

6. We extend our algorithm to infinite sets and predicates for distinguishing finite and infinite sets (Section 7).

7. We examine the relationship of our results to the monadic second-order logic (MSOL) of strings (Section 8). In contrast to the undecidability of MSOL with the equicardinality operator (Section 11.2), we identify a combination of MSOL over trees with BA that is decidable. This result follows from the fact that our algorithm $\alpha$ enables adding BA operations to any extension of Presburger arithmetic, including decidable extensions such as MSOL over strings (Section 8.1).

2 Example 

Figure 1 presents a procedure insert in a language that directly manipulates sets. Such languages can either be directly executed [14, 45] or can be derived from executable programs using an abstraction process [29, 30]. The program in Figure 1 manipulates a global set of objects content and an integer field size. The program maintains an invariant $I$ that the size of the set content is equal to the value of the variable size. The insert procedure inserts an element e into the set and correspondingly updates the integer variable. The requires clause (precondition) of the insert procedure is that the parameter e is a non-null reference to an object that is not stored in the set content. The ensures clause (postcondition) of the procedure is that the size variable after the insertion is positive. Note that we represent references to objects (such as the procedure parameter e) as sets with at most one element. An empty set represents a null reference; a singleton set $\{o\}$ represents a reference to object $o$. The value of a variable after procedure execution is indicated by marking the variable name with a prime.

In addition to the explicit requires and ensures clauses, the insert procedure maintains an invariant, $I$, which captures the relationship between the size of the set content and the integer variable size. The invariant $I$ is implicitly conjoined with the requires and the ensures clause of the procedure. The Hoare triple [18, 21] in Figure 2 summarizes the resulting correctness condition for the insert procedure.
var content : set;
var size : integer;
invariant I (size = |content|);

procedure insert(e : element) maintains I
  requires |e| = 1 ∧ |e ∩ content| = 0
  ensures size' > 0
{
  content := content ∪ e;
  size := size + 1;
}

Figure 1: An Example Procedure

$\{\, |e| = 1 \land |e \cap \mathit{content}| = 0 \land \mathit{size} = |\mathit{content}| \,\}$
content := content ∪ e; size := size + 1;
$\{\, \mathit{size}' > 0 \land \mathit{size}' = |\mathit{content}'| \,\}$

Figure 2: Hoare Triple for insert Procedure

$\forall e.\ \forall \mathit{content}.\ \forall \mathit{content}'.\ \forall \mathit{size}.\ \forall \mathit{size}'.$
$\quad (|e| = 1 \land |e \cap \mathit{content}| = 0 \land \mathit{size} = |\mathit{content}| \land \mathit{content}' = \mathit{content} \cup e \land \mathit{size}' = \mathit{size} + 1)$
$\quad \rightarrow\ \mathit{size}' > 0 \land \mathit{size}' = |\mathit{content}'|$

Figure 3: Verification Condition for Figure 2

Figure 3 presents a verification condition corresponding to the Hoare triple in Figure 2. Note that the verification condition contains both set and integer variables, contains quantification over these variables, and relates the sizes of sets to the values of integer variables. Our small example leads to a particularly simple formula; in general, formulas that arise in compositional analysis of set programs with integer variables may contain alternations of existential and universal variables over both integers and sets. This paper shows the decidability of such formulas.

3 First-Order-Logic Program Schemas 

To formalize the verification of programs with specifications written in first-order logic, we introduce the notion of first-order-logic program schemas (or schemas for short). The schemas motivate the main result of this paper because the decidability of a class of logic formulas implies the decidability of the schema verification problem. The abstraction of programs in general-purpose languages into verifiable schemas can be used to verify partial correctness of programs, and is a particular instance of abstract interpretation [12]. Program schemas have been studied in the past, with the focus primarily on purely functional schemas [2, 8].

Figure 4 presents the syntax of schemas. A schema is a collection of annotated recursive procedures that manipulate global state given by finitely many variables. A recursive program schema is parameterized by a specification language which determines 1) a signature of the specification language, which is some variant of first-order logic and 2) the interpretation of the language, which is some family of multisorted first-order structures. The interpretations of types of global and local variables correspond to the interpretations of sorts in the multisorted language. We use the term "S-schema" for a schema parameterized by a specification language S. The language S is used to encode all basic statements of the schema and to write requires and ensures clauses. The only control structures in a schema are sequential composition, nondeterministic choice and procedure call (denoted using the procedure name). For simplicity, procedures in a schema have no parameters; parameter passing can be simulated using assignments to global and local variables.

F is a first-order formula

s ::= F | p | s ; s | s □ s | var x : T. s

spec_p ::= procedure p
             requires pre_p
             ensures post_p
             { s_body(p) }

schema ::= (var x : T)* (spec)*

Figure 4: Syntax of First-Order Logic Program Schemas

the meaning of specifications:
  $\mathit{spec}_p = (\mathit{pre}_p \rightarrow \mathit{post}_p)$

rules for reducing statements to formulas:
  $p \leadsto \mathit{spec}_p$
  $F_1 ; F_2 \leadsto \exists x_0.\ (F_1[x' := x_0] \land F_2[x := x_0])$
    ($x$ denotes the variables in the pre-state, $x'$ the variables in the post-state)
  $F_1 \mathrel{\square} F_2 \leadsto F_1 \lor F_2$
  $\mathbf{var}\ x : T.\ F \leadsto \exists x : T.\ F$

correctness condition for p:
  $\forall^{*}.\ (F_{\mathit{body}(p)} \rightarrow \mathit{spec}_p)$
  where $s_{\mathit{body}(p)} \leadsto F_{\mathit{body}(p)}$ using the rules above

Figure 5: Rules that Reduce Procedure Body to a Formula

Provided that variables in S range over sufficiently complex data types (such as integers or terms), schemas are a Turing-complete language. Indeed, first-order logic can encode the assignment statement ($x := t$ is represented by the formula $x' = t \land \bigwedge_{y \neq x} y' = y$), as well as assume statements (assume $F$ is just $F \land \mathit{skip}$ where $\mathit{skip}$ is $\bigwedge_y y' = y$); nondeterministic choice and assume-statements can encode the if statements; recursion with assume statements can encode while loops.
As a consequence of Turing-completeness, the verification of schemas without specifications would be undecidable. Because we are assuming that procedures are annotated, the correctness of our recursive program schema reduces to the validity of a set of formulas in the logic, using the standard technique of assume-guarantee reasoning. The idea of this reduction is to replace each call to procedure p with the specification given by the requires and ensures clause of p, as in Figure 5. After this replacement, the body of each procedure contains only sequential composition, basic statements, and nondeterministic choice. The remaining rules in Figure 5 then reduce the body of a procedure to a single formula.¹ We check the correctness of the procedure by checking that the formula corresponding to the body of the procedure implies the specification of the procedure.

We conclude that if the validity of first-order formulas in the language S is decidable, then the verification problem of an S-schema parameterized by those formulas is decidable. By considering different languages S whose first-order theory is decidable, we obtain different verifiable S-schemas. Example languages whose first-order theories are decidable are term algebras and their generalizations [26], Boolean algebras of sets [31] and Presburger arithmetic [37]. In this paper we establish the decidability of the first-order theory BAPA that combines the quantified formulas of Boolean algebras of sets and Presburger arithmetic. Our result therefore implies the verifiability of a new class of schemas, namely BAPA-schemas.
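To make the reduction of Figure 5 concrete, here is an added example (not the paper's code) that runs the rules as transition relations over a constructed two-element universe and checks the insert procedure of Figure 1 against its specification with the invariant I conjoined, as in Figure 2. It is a bounded finite-model check rather than the decision procedure the paper develops; the universe, the integer bound and the names assign, seq, choice, check_procedure and verify_insert are assumptions of this example.

```python
from itertools import combinations

# Added example, not from the paper. A state maps variable names to values:
# frozensets for set variables, ints for integer variables. A formula F(x, x')
# is encoded as a predicate on (pre-state, post-state) pairs, i.e. as the
# transition relation of the statement, following Figure 5.

def subsets(universe):
    items = sorted(universe)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def all_states(universe, set_vars, int_vars):
    """Every assignment over a finite universe: set variables range over
    subsets, integer variables over 0..|universe|+1 (a constructed bound)."""
    states = [{}]
    for v in set_vars:
        states = [dict(s, **{v: val}) for s in states for val in subsets(universe)]
    for v in int_vars:
        states = [dict(s, **{v: val}) for s in states
                  for val in range(len(universe) + 2)]
    return states

def assign(var, expr):
    """x := t  is the formula  x' = t ∧ ⋀_{y≠x} y' = y."""
    return lambda s, s2: (s2[var] == expr(s)
                          and all(s2[y] == s[y] for y in s if y != var))

def seq(f1, f2, states):
    """F1 ; F2  reduces to  ∃x0. F1[x' := x0] ∧ F2[x := x0]; the intermediate
    state x0 is enumerated over the finite model."""
    return lambda s, s2: any(f1(s, s0) and f2(s0, s2) for s0 in states)

def choice(f1, f2):
    """F1 □ F2  reduces to  F1 ∨ F2 in the transition-relation encoding."""
    return lambda s, s2: f1(s, s2) or f2(s, s2)

def check_procedure(body, pre, post, states):
    """Correctness condition of Figure 5: ∀*. (F_body → spec_p) with
    spec_p = (pre_p → post_p). Returns None when it holds, otherwise the
    first counterexample as a (pre-state, post-state) pair."""
    for s in states:
        if not pre(s):
            continue
        for s2 in states:
            if body(s, s2) and not post(s, s2):
                return s, s2
    return None

# The insert procedure of Figure 1 over the constructed universe {0, 1}.
# The parameter e is modelled as a global variable, as the text suggests for
# parameter passing; the invariant I (size = |content|) is conjoined to both
# the requires and the ensures clause.
UNIVERSE = {0, 1}
STATES = all_states(UNIVERSE, ["content", "e"], ["size"])

def insert_body():
    return seq(assign("content", lambda s: s["content"] | s["e"]),
               assign("size", lambda s: s["size"] + 1), STATES)

def insert_pre(s, require_fresh=True):
    # requires |e| = 1 ∧ |e ∩ content| = 0, plus I. Passing require_fresh=False
    # drops the second conjunct, to show why that precondition is needed.
    return (len(s["e"]) == 1 and s["size"] == len(s["content"])
            and (not require_fresh or not (s["e"] & s["content"])))

def insert_post(s, s2):
    # ensures size' > 0, plus I on the post-state
    return s2["size"] > 0 and s2["size"] == len(s2["content"])

def verify_insert(require_fresh=True):
    return check_procedure(insert_body(),
                           lambda s: insert_pre(s, require_fresh),
                           insert_post, STATES)
```

With the precondition intact the check returns None; without |e ∩ content| = 0 it returns a pre-state in which e is already in content, after which size' no longer equals |content'|.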

Schemas and Boolean programs. For a fixed set of predicates, Boolean programs used in predicate abstraction [4, 3, 20] can be seen as a particular form of schemas where the first-order variables range over finite domains. The assumption about finiteness of the domain has important consequences: in the finite domain case the first-order formulas reduce to quantified Boolean formulas, the schemas are not Turing-complete but reduce to pushdown automata, and procedure specifications are not necessary because finite-state properties can be checked using context-free reachability. In this paper we consider schemas where variables may range over infinite domains, yet the verification problem in the presence of specifications is decidable. The advantage of expressive program schemas is that they are closer to the implementation languages, which makes the abstraction of programs into schemas potentially simpler and more precise.

¹Note that our formulas encode the transition relation as opposed to the weakest precondition, so we use $\lor$ to encode non-deterministic choice and $\exists$ for uninitialized variables.

Verification using quantifier-free formulas. Note that the rules in Figure 5 do not introduce quantifier alternations. This means that we obtain verifiable S-schemas even if we restrict S to be a quantifier-free language whose formulas have a decidable satisfiability problem. The advantage of using languages whose full first-order theory is decidable is that this approach allows specifications of procedures to use quantifiers to express parameterization (via the universal quantifier) and information hiding (via the existential quantifier). Moreover, the quantifier elimination technique which we use in this paper shows how to eliminate quantifiers from a formula while preserving its validity. This means that, instead of first applying the rules in Figure 5 and then applying quantifier elimination, we may first eliminate all quantifiers from specifications, and then apply the rules in Figure 5, yielding a quantifier-free formula. This approach may be more efficient because the decidability of quantifier-free formulas is easier to establish [56, 35, 42, 55, 49].

4 Overview of Quantifier Elimination 

For completeness, this section introduces quantifier elimination; quantifier elimination is the central technique used in this paper. After reviewing the basic idea of quantifier elimination in Section 4.1, we explain how to use quantifier elimination to show the decidability of Boolean algebras in Section 4.2. We show the decidability of Presburger arithmetic in Section 11.1.

4.1 Quantifier Elimination 

According to [22, Page 70, Lemma 2.7.4], to eliminate quantifiers from arbitrary formulas, it suffices to eliminate $\exists y$ from formulas of the form

$$\exists y.\ \bigwedge_{0 < i \le n} \psi_i(x, y) \qquad (1)$$

where $x$ is a tuple of variables and $\psi_i(x, y)$ is a literal all of whose variables are among $x, y$. The reason why eliminating formulas of the form (1) suffices is the following. Suppose that the formula is in prenex form and consider the innermost quantifier of the formula. Let $\phi$ be the subformula containing the quantifier along with the subformula that is the scope of that quantifier. If $\phi$ is of the form $\forall x.\ \phi_0$, we may replace $\phi$ with $\lnot \exists x.\ \lnot \phi_0$. Hence, we may assume that $\phi$ is of the form $\exists x.\ \phi_0$. We then transform $\phi_0$ into disjunctive normal form and use the fact

$$\exists x.\ (\phi_2 \lor \phi_3) \iff (\exists x.\ \phi_2) \lor (\exists x.\ \phi_3) \qquad (2)$$





$F ::= A \mid F_1 \land F_2 \mid F_1 \lor F_2 \mid \lnot F \mid \exists x.\,F \mid \forall x.\,F$

$A ::= B_1 = B_2 \mid B_1 \subseteq B_2 \mid |B| = C \mid |B| \ge C$

$B ::= x \mid 0 \mid 1 \mid B_1 \cup B_2 \mid B_1 \cap B_2 \mid B^c$

$C ::= 0 \mid 1 \mid 2 \mid \ldots$

Figure 6: Formulas of Boolean Algebra (BA)

We conclude that elimination of quantifiers from formulas of form (1) suffices to eliminate the innermost quantifier. By repeatedly eliminating innermost quantifiers we can eliminate all quantifiers from a formula.

We may also assume that $y$ occurs in every literal $\psi_i$; otherwise we would place the literal outside the existential quantifier using the fact

$$\exists y.\ (A \land B) \iff (\exists y.\ A) \land B$$

for $y$ not occurring in $B$.

To eliminate variables we often use the following identity of the theory with equality:

$$\exists x.\ x = t \land \phi(x) \iff \phi(t) \qquad (3)$$

The quantifier elimination procedures we present imply the decidability of the underlying theories, because the interpretations of function and relation symbols on some domain $A$ turn out to be effectively computable functions and relations on $A$. Therefore, the truth value of every formula without variables is computable. The quantifier elimination procedures we present are all effective. To determine the truth value of a closed formula $\phi$ on a given model, it therefore suffices to apply the quantifier elimination procedure to $\phi$, yielding a quantifier-free formula $\psi$, and then evaluate the truth value of $\psi$.

4.2 Quantifier Elimination for BA 

This section presents a quantifier elimination procedure for Boolean algebras of finite sets. We use the symbols for the set operations as the language of Boolean algebras: $b_1 \cap b_2$, $b_1 \cup b_2$, $b_1^c$, $0$, $U$ correspond to set intersection, set union, set complement, empty set, and full set, respectively. We write $b_1 \subseteq b_2$ for $b_1 \cap b_2 = b_1$, and $b_1 \subset b_2$ for the conjunction $b_1 \subseteq b_2 \land b_1 \neq b_2$.

For every nonnegative integer constant $k$ we introduce formulas of the form $|b| \ge k$ expressing that the set denoted by $b$ has at least $k$ elements, and formulas of the form $|b| = k$ expressing that the set denoted by $b$ has exactly $k$ elements. In this section, cardinality constraints always relate the cardinality of a set to a constant integer. These properties are first-order definable within Boolean algebra itself:

$$|b| \ge 0 \;=\; \mathit{true}$$
$$|b| \ge k+1 \;=\; \exists x.\ x \subset b \land |x| \ge k$$
$$|b| = k \;=\; |b| \ge k \land \lnot\, |b| \ge k+1$$

We call a language which contains terms $|b| \ge k$ and $|b| = k$ the language of Boolean algebras with finite constant cardinality constraints. Figure 6 summarizes the syntax of this language, which we denote BA. Because finite constant cardinality constraints are first-order definable, the language with finite constant cardinality constraints has the same expressive power as the language of Boolean algebras. Removing the restriction that integers are constants is, in fact, what leads to the generalization from Boolean algebras to Boolean algebras with Presburger arithmetic in Section 5, and is the main topic of this paper.

Preliminary observations. Every subset relation $b_1 \subseteq b_2$ is equivalent to $|b_1 \cap b_2^c| = 0$, and every equality $b_1 = b_2$ is equivalent to a conjunction of two subset relations. It is therefore sufficient to consider the first-order formulas whose only atomic formulas are of the form $|b| = k$ and $|b| \ge k$. Furthermore, because $k$ denotes constants, we can eliminate negative literals as follows:

$$\lnot\, |b| = k \iff |b| = 0 \lor \cdots \lor |b| = k-1 \lor |b| \ge k+1$$
$$\lnot\, |b| \ge k \iff |b| = 0 \lor \cdots \lor |b| = k-1 \qquad (4)$$

Every formula in the language of Boolean algebras can therefore be written in prenex normal form where the matrix (quantifier-free part) of the formula is a disjunction of conjunctions of atomic formulas of the form $|b| = k$ and $|b| \ge k$, with no negative literals. If a term $b$ contains at least one operation of arity one or more, we may assume that the constants $0$ and $U$ do not appear in $b$, because $0$ and $U$ can be simplified away. Furthermore, the expression $|0|$ denotes the integer zero, so all terms of the form $|0| = k$ or $|0| \ge k$ evaluate to true or false. We can therefore simplify every term $b$ so that either 1) $b$ contains no occurrences of the constants $0$ and $U$, or 2) $b = U$.

The following lemma is the main idea behind the quantifier elimination for both BA in this section and BAPA in Section 5.

Lemma 1 Let $b_1, \ldots, b_n$ be finite disjoint sets, and $l_1, \ldots, l_n, k_1, \ldots, k_n$ be natural numbers. Then the following two statements are equivalent:

1. There exists a finite set $y$ such that

$$\bigwedge_{i=1}^{n} |b_i \cap y| = k_i \land |b_i \cap y^c| = l_i \qquad (5)$$

2.

$$\bigwedge_{i=1}^{n} |b_i| = k_i + l_i \qquad (6)$$

Moreover, the statement continues to hold if for any subset of indices $i$ the conjunct $|b_i \cap y| = k_i$ is replaced by $|b_i \cap y| \ge k_i$ or $|b_i \cap y^c| = l_i$ is replaced by $|b_i \cap y^c| \ge l_i$, provided that $|b_i| = k_i + l_i$ is replaced by $|b_i| \ge k_i + l_i$, as indicated in Figure 7.

Proof. ($\Rightarrow$) Suppose that there exists a set $y$ satisfying (5). Because $b_i \cap y$ and $b_i \cap y^c$ are disjoint, $|b_i| = |b_i \cap y| + |b_i \cap y^c|$, so $|b_i| = k_i + l_i$ when the conjuncts are $|b_i \cap y| = k_i \land |b_i \cap y^c| = l_i$, and $|b_i| \ge k_i + l_i$ if any of the original conjuncts have inequality.

($\Leftarrow$) Suppose that (6) holds. First consider the case of equalities. Suppose that $|b_i| = k_i + l_i$ for each of the pairwise disjoint sets $b_1, \ldots, b_n$. For each $b_i$ choose a subset $y_i \subseteq b_i$ such that $|y_i| = k_i$. Because $|b_i| = k_i + l_i$, we have $|b_i \cap y_i^c| = l_i$. Having chosen $y_1, \ldots, y_n$, let $y = \bigcup_{i=1}^{n} y_i$. For $i \neq j$ we have $b_i \cap y_j = 0$ and $b_i \cap y_j^c = b_i$, so $b_i \cap y = y_i$ and $b_i \cap y^c = b_i \cap y_i^c$. By the choice of $y_i$, we conclude that $y$ is the desired set for which (5) holds. The case of inequalities is analogous: for example, in the case $|b_i \cap y| \ge k_i \land |b_i \cap y^c| = l_i$, choose $y_i \subseteq b_i$ such that $|y_i| = |b_i| - l_i$. $\blacksquare$

Quantifier elimination for BA. We next describe a quantifier elimination procedure for BA. This procedure motivates our algorithm in Section 5.

We first transform the formula into prenex normal form and then repeatedly eliminate the innermost quantifier. As argued in Section 4.1, it suffices to show that we can eliminate an existential quantifier from any existentially quantified conjunction of literals. Consider therefore an arbitrary existentially quantified conjunction of literals

$$\exists y.\ \bigwedge_{1 \le i \le n} \psi_i$$

where $\psi_i$ is of the form $|b| = k$ or of the form $|b| \ge k$. We assume that $y$ occurs in every formula $\psi_i$. It follows that no $\psi_i$ contains $|0|$ or $|U|$. Let $x_1, \ldots, x_m, y$ be the set of variables occurring in formulas $\psi_i$ for $1 \le i \le n$.

First consider the more general case $m \ge 1$. For $i_1, \ldots, i_m \in \{0, 1\}$, let $s_{i_1 \ldots i_m} = x_1^{i_1} \cap \cdots \cap x_m^{i_m}$ where $x^0 = x^c$ and $x^1 = x$. The terms in the set

$$P = \{\, s_{i_1 \ldots i_m} \mid i_1, \ldots, i_m \in \{0, 1\} \,\}$$

form a partition. Moreover, every Boolean algebra term whose variables are among $x_i$ can be written as a disjoint union of some elements of the partition $P$. Any Boolean algebra term containing $y$ can be written, for some $p, q \ge 0$, as



original formula                                                          eliminated form
$\exists y.\ \ldots\ |b \cap y| \ge k \land |b \cap y^c| \ge l\ \ldots$      $|b| \ge k + l$
$\exists y.\ \ldots\ |b \cap y| = k \land |b \cap y^c| \ge l\ \ldots$        $|b| \ge k + l$
$\exists y.\ \ldots\ |b \cap y| \ge k \land |b \cap y^c| = l\ \ldots$        $|b| \ge k + l$
$\exists y.\ \ldots\ |b \cap y| = k \land |b \cap y^c| = l\ \ldots$          $|b| = k + l$

Figure 7: Rules for Eliminating Quantifiers from Boolean Algebra Expressions

$$(u_1 \cap y) \cup \cdots \cup (u_p \cap y) \cup (t_1 \cap y^c) \cup \cdots \cup (t_q \cap y^c)$$

where $u_1, \ldots, u_p \in P$ are pairwise distinct elements from the partition and $t_1, \ldots, t_q \in P$ are pairwise distinct elements from the partition. Because

$$|(u_1 \cap y) \cup \cdots \cup (u_p \cap y) \cup (t_1 \cap y^c) \cup \cdots \cup (t_q \cap y^c)| = |u_1 \cap y| + \cdots + |u_p \cap y| + |t_1 \cap y^c| + \cdots + |t_q \cap y^c|$$

a formula of the form $|b| = k$ can be written as

$$\bigvee_{k_1, \ldots, k_p, l_1, \ldots, l_q} \big( |u_1 \cap y| = k_1 \land \cdots \land |u_p \cap y| = k_p \land |t_1 \cap y^c| = l_1 \land \cdots \land |t_q \cap y^c| = l_q \big)$$

where the disjunction ranges over nonnegative integers $k_1, \ldots, k_p, l_1, \ldots, l_q \ge 0$ that satisfy

$$k_1 + \cdots + k_p + l_1 + \cdots + l_q = k \qquad (7)$$

From (4) it follows that we can perform a similar transformation for formulas of the form $|b| \ge k$ (by representing $|b| \ge k$ as a Boolean combination of $|b| = k$ formulas, applying (7), and translating the result back into $|b| \ge k$ formulas). After performing this transformation, we bring the formula into disjunctive normal form and continue eliminating the existential quantifier separately for each disjunct, as argued in Section 4.1. We may therefore assume that all conjuncts $\psi_i$ are of one of the forms: $|s \cap y| = k$, $|s \cap y^c| = k$, $|s \cap y| \ge k$, and $|s \cap y^c| \ge k$ where $s \in P$.

If there are two conjuncts both of which contain $|s \cap y|$ for the same $s$, then either they are contradictory or one implies the other. We therefore assume that for any $s \in P$, there is at most one conjunct $\psi_i$ containing $|s \cap y|$. For analogous reasons we assume that for every $s \in P$ there is at most one conjunct $\psi_i$ containing $|s \cap y^c|$. The result of eliminating the variable $y$ is then given in Figure 7. These rules are applied for all distinct partitions $s$ for which $|s \cap y|$ or $|s \cap y^c|$ occurs. The case when one of the literals containing $|s \cap y|$ does not occur is covered by the case $|s \cap y| \ge k$ for $k = 0$, similarly for a literal containing $|s \cap y^c|$.
It remains to consider the case $m = 0$. Then $y$ is the only variable occurring in the conjuncts $\psi_i$. Every cardinality expression $t$ containing only $y$ reduces to one of $|y|$ or $|y^c|$. If there are multiple literals containing $|y|$, they are either contradictory or one implies the others. We may therefore assume there is at most one literal containing $|y|$ and at most one literal containing $|y^c|$. We eliminate the quantifier by applying the rules in Figure 7, putting formally $b = U$, yielding a quantifier-free cardinality constraint of the form $|U| = k$ or of the form $|U| \ge k$, which does not contain the variable $y$.

This completes the description of quantifier elimination from an existentially quantified conjunction. By repeating this process for all quantifiers we arrive at a quantifier-free formula $\psi$. Hence, we have the following fact.

Fact 1 For every first-order formula $\phi$ in the language of Boolean algebras with finite cardinality constraints there exists a quantifier-free formula $\psi$ such that $\psi$ is a disjunction of conjunctions of literals of the form $|b| \ge k$ and $|b| = k$ (for $k$ denoting constant non-negative integers) where $b$ are terms of Boolean algebra, the free variables of $\psi$ are a subset of the free variables of $\phi$, and $\psi$ is equivalent to $\phi$ on all Boolean algebras of finite sets.
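As an added example (not from the paper), the following Python applies the Figure 7 rules to the conjunct pair on each partition block and then checks Lemma 1 by brute force over all subsets y of a constructed universe, including the inequality variants and the missing-literal case read as |.| ≥ 0; the function names and the sample blocks are assumptions of this example.

```python
from itertools import combinations, product

# Added example, not the paper's code. A conjunct pair on one partition
# block b is written (rel_y, k, rel_yc, l) and stands for
#   |b ∩ y| rel_y k  ∧  |b ∩ y^c| rel_yc l      with rel ∈ {"=", ">="}.
# A literal that does not occur is the trivial one with bound 0 and ">=",
# as the text prescribes.

def holds(rel, value, bound):
    return value == bound if rel == "=" else value >= bound

def eliminate(constraints):
    """Figure 7: the pair of literals on |b ∩ y| and |b ∩ y^c| becomes one
    literal on |b| that no longer mentions y. The result is an equality only
    when both inputs are equalities (last row of the figure); otherwise it is
    the inequality |b| >= k + l (first three rows). Returns {block: (rel, bound)}."""
    return {block: ("=" if (rel_y, rel_yc) == ("=", "=") else ">=", k + l)
            for block, (rel_y, k, rel_yc, l) in constraints.items()}

def eval_eliminated(eliminated, blocks):
    """Truth value of the quantifier-free result, statement (6), on concrete blocks."""
    return all(holds(rel, len(blocks[b]), bound)
               for b, (rel, bound) in eliminated.items())

def subsets(items):
    items = sorted(items)
    return (frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r))

def exists_y(constraints, blocks):
    """Statement (5) by brute force: some y ⊆ U satisfies every conjunct pair,
    U being the union of the pairwise disjoint blocks."""
    universe = frozenset().union(*blocks.values())
    return any(all(holds(ry, len(blocks[b] & y), k)
                   and holds(ryc, len(blocks[b] - y), l)
                   for b, (ry, k, ryc, l) in constraints.items())
               for y in subsets(universe))

def lemma_holds_for(blocks, max_bound):
    """Exhaustive check of Lemma 1 on the given blocks: for every choice of
    relations and of bounds 0..max_bound on every block, (5) and (6) agree."""
    names = sorted(blocks)
    options = list(product(["=", ">="], range(max_bound + 1),
                           ["=", ">="], range(max_bound + 1)))
    return all(exists_y(c, blocks) == eval_eliminated(eliminate(c), blocks)
               for combo in product(options, repeat=len(names))
               for c in [dict(zip(names, combo))])

# Constructed sample: two disjoint blocks and one conjunct pair per block.
EX_BLOCKS = {"b1": frozenset({0, 1, 2}), "b2": frozenset({3, 4})}
EX = {"b1": ("=", 1, ">=", 1),   # |b1 ∩ y| = 1 ∧ |b1 ∩ y^c| >= 1  gives  |b1| >= 2
      "b2": ("=", 2, "=", 1)}    # |b2 ∩ y| = 2 ∧ |b2 ∩ y^c| = 1   gives  |b2| = 3
```

On EX_BLOCKS the eliminated form fails because |b2| = 2, and so does the brute-force search for y; enlarging b2 to three elements makes both true, and lemma_holds_for confirms the agreement for every combination of rules and small bounds.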

5 First-Order Theory of BAPA is Decidable 

This section presents the main result of this paper: the first-order theory of Boolean algebras with Presburger arithmetic (BAPA) is decidable. We first motivate the operations of the structure BAPA in Section 5.1. We prove the decidability of BAPA in Section 5.2 using a quantifier elimination algorithm that interleaves quantifier elimination for the Boolean algebra part with quantifier elimination for the Presburger arithmetic part. In Section 5.4 we present another algorithm ($\alpha$) for deciding BAPA, based on the replacement of set quantifiers with integer quantifiers. The analysis of the algorithm $\alpha$ is the subject of Section 6, which derives a worst-case complexity bound on the validity problem for BAPA.

In this section, we interpret Boolean algebras over the family of all powersets of finite sets. Our quantifier elimination is uniform with respect to the size of the universal set. Section 7 extends the result to allow infinite universal sets and reasoning about finiteness of sets.

5.1 From Equicardinality to PA 

To motivate the extension of Boolean algebra with all operations of Presburger arithmetic, we derive these operations from a single construct: the equicardinality of sets.



$F ::= A \mid F_1 \land F_2 \mid F_1 \lor F_2 \mid \lnot F \mid \exists x.\,F \mid \forall x.\,F \mid \exists k.\,F \mid \forall k.\,F$

$A ::= B_1 = B_2 \mid B_1 \subseteq B_2 \mid T_1 = T_2 \mid T_1 < T_2 \mid C\ \mathrm{dvd}\ T$

$B ::= x \mid 0 \mid 1 \mid B_1 \cup B_2 \mid B_1 \cap B_2 \mid B^c$

$T ::= k \mid C \mid \mathrm{MAXC} \mid T_1 + T_2 \mid T_1 - T_2 \mid C \cdot T \mid |B|$

$C ::= \ldots -2 \mid -1 \mid 0 \mid 1 \mid 2 \ldots$

Figure 8: Formulas of Boolean Algebras with Presburger Arithmetic (BAPA)

Define the equicardinality relation $\mathrm{eqcard}(b, b')$ to hold iff $|b| = |b'|$, and consider BA extended with the relation $\mathrm{eqcard}(b, b')$. Define the ternary relation $\mathrm{plus}(b, b_1, b_2) \iff (|b| = |b_1| + |b_2|)$ by the formula

$$\exists x_1.\ \exists x_2.\ x_1 \cap x_2 = 0 \land b = x_1 \cup x_2 \land \mathrm{eqcard}(x_1, b_1) \land \mathrm{eqcard}(x_2, b_2)$$

The relation $\mathrm{plus}(b, b_1, b_2)$ allows us to express addition using arbitrary sets as representatives for natural numbers. Moreover, we can represent integers as equivalence classes of pairs of natural numbers under the equivalence relation $(x, y) \sim (u, v) \iff x + v = u + y$. This construction allows us to express the unary predicate of being non-negative. The quantification over pairs of sets represents quantification over integers, and quantification over integers with the addition operation and the predicate "being non-negative" can express all operations in Figure 11.

This leads to our formulation of the language BAPA in Figure 8, which contains both the sets and the integers themselves. Note that the language has two kinds of quantifiers: quantifiers over integers and quantifiers over sets; we distinguish between these two kinds by denoting integer variables with symbols such as $k, l$ and set variables with symbols such as $x, y$. We use the shorthand $\exists^{+} k.\,F(k)$ to denote $\exists k.\ k \ge 0 \land F(k)$ and, similarly, $\forall^{+} k.\,F(k)$ to denote $\forall k.\ k \ge 0 \rightarrow F(k)$. Note that the language in Figure 8 subsumes the language in Figure 11. Furthermore, the language in Figure 8 contains the formulas of the form $|b| = k$ whose Boolean combinations can encode all atomic formulas in Figure 6, as in Section 4.2. This implies that the language in Figure 8 properly generalizes both the language in Figure 11 and the language in Figure 6. Finally, we note that the MAXC constant denotes the size of the finite universe, so we require $\mathrm{MAXC} = |U|$ (see Section 7 for the infinite universe case).
5.2 Basic Algorithm

We first present a simple quantifier-elimination algorithm for BAPA. As explained in Section 4.1, it suffices to eliminate an existential quantifier from a conjunction $F$ of literals of Figure 8. We need to show how to eliminate an integer existential quantifier, and how to eliminate a set existential quantifier. By Section 4.2, assume that all occurrences of set expressions $b$ are within expressions of the form $|b|$. Introduce an integer variable $k_i$ for each such expression and write $F$ in the form
$$F = \exists^+ k_1, \ldots, k_p.\; \bigwedge_{i=1}^{p} |b_i| = k_i \;\land\; F_1(k_1, \ldots, k_p) \qquad (8)$$
where $F_1$ is a PA formula.

To eliminate an existential integer quantifier $\exists k$ from the formula $\exists k.F$, observe that $\exists k.F(k)$ is equivalent to
$$\exists^+ k_1, \ldots, k_p.\; \bigwedge_{i=1}^{p} |b_i| = k_i \;\land\; \exists k.\, F_1(k, k_1, \ldots, k_p)$$
because $k$ does not occur in the first part of the formula. Using quantifier elimination for Presburger arithmetic, eliminate $\exists k$ from $\exists k.F_1$, yielding a quantifier-free formula $F_2(k_1, \ldots, k_p)$. The formula $\exists k.F(k)$ is then equivalent to $F_2(|b_1|, \ldots, |b_p|)$ and the quantifier has been eliminated.

To eliminate an existential set quantifier $\exists y$ from the formula $\exists y.F$, proceed as follows. Start again from (8), and split each $|b_i|$ into sums of partitions as in Section 4.2. Specifically, let $x_1, \ldots, x_n$ where $y \in \{x_1, \ldots, x_n\}$ be all free set variables in $b_1, \ldots, b_p$, and let $s_1, \ldots, s_m$ for $m = 2^n$ be all set expressions of the form $\bigcap_{i=1}^{n} x_i^{\alpha_i}$ for $\alpha_1, \ldots, \alpha_n \in \{0, 1\}$ (where $x^1 = x$ and $x^0 = x^c$). Every expression of the form $|b|$ is equal to an expression of the form $\sum_{j=1}^{q} |s_{i_j}|$ for some $i_1, \ldots, i_q$. Introduce an integer variable $l_i$ for each $|s_i|$ where $1 \le i \le m$, and write $F$ in the form
$$\exists^+ l_1, \ldots, l_m.\; \exists^+ k_1, \ldots, k_p.\; \bigwedge_{i=1}^{m} |s_i| = l_i \;\land\; \bigwedge_{i=1}^{p} t_i = k_i \;\land\; F_1(k_1, \ldots, k_p) \qquad (9)$$
where each $t_i$ is of the form $\sum_{j=1}^{q} l_{i_j}$ for some $q$ and some $i_1, \ldots, i_q$ specific to $t_i$. Note that only the part $\bigwedge_{i=1}^{m} |s_i| = l_i$ contains set variables, so $\exists y.F$ is equivalent to
$$\exists^+ l_1, \ldots, l_m.\; \exists^+ k_1, \ldots, k_p.\; \Big(\exists y.\, \bigwedge_{i=1}^{m} |s_i| = l_i\Big) \;\land\; \bigwedge_{i=1}^{p} t_i = k_i \;\land\; F_1(k_1, \ldots, k_p) \qquad (10)$$
Next, group each $s_i$ of the form $s \cap y$ with the corresponding $s \cap y^c$ and apply Lemma 1 to replace each pair $|s \cap y| = l_a \land |s \cap y^c| = l_b$ with $|s| = l_a + l_b$. As a result, $\exists y.\, \bigwedge_{i=1}^{m} |s_i| = l_i$ is replaced by a quantifier-free formula of the form $\bigwedge_{i=1}^{m/2} |s'_i| = l_{a_i} + l_{b_i}$. The entire resulting formula is
$$\exists^+ l_1, \ldots, l_m.\; \exists^+ k_1, \ldots, k_p.\; \bigwedge_{i=1}^{m/2} |s'_i| = l_{a_i} + l_{b_i} \;\land\; \bigwedge_{i=1}^{p} t_i = k_i \;\land\; F_1(k_1, \ldots, k_p)$$
and contains no set quantifiers, but contains existential integer quantifiers. We have already seen how to eliminate existential integer quantifiers; by repeating the elimination for each of $l_1, \ldots, l_m, k_1, \ldots, k_p$, we obtain a quantifier-free formula. (We can trivially eliminate each $k_i$ by replacing it with $t_i$, but it remains to eliminate the exponentially many variables $l_1, \ldots, l_m$.)

This completes the description of the basic quanti- 
fier elimination algorithm. This quantifier-elimination 
algorithm is a decision procedure for formulas in Fig- 
ure 8. We have therefore established the decidability of 
the language BAPA that combines Boolean algebras and 
Presburger arithmetic, solving the question left open in 
[57] for the finite universe case. 

Theorem 2 The validity of BAPA sentences over the 
family of all models with finite universe of uninterpreted 
elements is decidable. 

Comparison with Quantifier Elimination for BA. 

Note the difference in the use of Lemma 1 in the quan- 
tifier elimination for BA in Section 4.2 compared to 
the use of Lemma 1 in this section: Section 4.2 uses 
the statement of the lemma when the cardinalities of 
sets are known constants, whereas this section uses the 
statement of the lemma in a more general way, creating 
the appropriate symbolic sum expression for the cardinality of the resulting sets. On the other hand, the
algorithm in this section does not need to consider the 
case of inequalities for cardinality constraints, because 
the handling of negations of cardinality constraints is 
hidden in the subsequent quantifier elimination of in- 
teger variables. This simplification indicates that the 
first-order theories BA and PA naturally fit together; 
the algorithm in Section 5.4 further supports this im- 
pression. 

5.3 Reducing the Number of Introduced Integer Variables

This section presents two observations that may reduce the number of integer variables introduced in the elimination of a set quantifier in Section 5.2. The algorithm in Section 5.2 introduces $2^n$ integer variables where $n$ is the number of set variables in the formula $F$ of (8).

First, we observe that it suffices to eliminate the quantifier $\exists y$ from the conjunction of the conjuncts $|b_i| = k_i$ where $y$ occurs in $b_i$. Let $a_1(y), \ldots, a_q(y)$ be those terms among $b_1, \ldots, b_p$ that contain $y$, and let $x_1, \ldots, x_{n_1}$ be the free variables in $a_1(y), \ldots, a_q(y)$. Then it suffices to introduce $2^{n_1}$ integer variables corresponding to the partitions with respect to $x_1, \ldots, x_{n_1}$, which may be an improvement because $n_1 \le n$.

The second observation is useful if the number $q$ of terms $a_1(y), \ldots, a_q(y)$ satisfies the property $2q + 1 < n_1$, i.e. there is a large number of variables, but a small number of terms containing them. In this case, consider all Boolean combinations $t_1, \ldots, t_u$ of the $2q$ expressions $a_1(\emptyset), a_1(\mathcal{U}), a_2(\emptyset), a_2(\mathcal{U}), \ldots, a_q(\emptyset), a_q(\mathcal{U})$. For each $a_i$, we have the Shannon expansion
$$a_i(y) = (y \cap a_i(\mathcal{U})) \cup (y^c \cap a_i(\emptyset))$$
since an element of $y$ belongs to $a_i(y)$ exactly when it belongs to $a_i(\mathcal{U})$, and an element of $y^c$ exactly when it belongs to $a_i(\emptyset)$. Each $a_i(\emptyset)$ and each $a_i(\mathcal{U})$ is a disjoint union of the Boolean combinations $t_1, \ldots, t_u$, so each $a_i(y)$ is a disjoint union of Boolean combinations of $y$ and the expressions $t_1, \ldots, t_u$ that do not contain $y$. It therefore suffices to introduce $2^{2q+1}$ integer variables denoting all terms of the form $y \cap t_i$ and $y^c \cap t_i$, as opposed to $2^{n_1}$ integer variables.

5.4 Reduction to Quantified PA Sentences 

This section presents an algorithm, denoted $\alpha$, which reduces a BAPA sentence to an equivalent PA sentence with the same number of quantifier alternations and an exponential increase in the total size of the formula. Although we have already established the decidability of BAPA in Section 5.2, the algorithm $\alpha$ of this section is important for several reasons.

1. Given the space and time bounds for Presburger arithmetic sentences [40], the algorithm $\alpha$ yields reasonable space and time bounds for BAPA sentences.

2. Unlike the algorithm in Section 5.2, the algorithm $\alpha$ does not perform any elimination of integer variables, but instead produces an equivalent quantified PA formula. The resulting PA formula can be decided using any decision procedure for PA, including the decision procedures based on automata and model checking [23, 19].

3. The algorithm $\alpha$ can eliminate set quantifiers from any extension of Presburger arithmetic. We thus obtain a technique for adding a particular form of set reasoning to every extension of Presburger arithmetic, and the technique preserves the decidability of the extension. An example extension where our construction applies is second-order linear arithmetic, i.e. monadic second-order logic of one successor, as well as monadic second-order logic of $n$-successors, as we note in Section 8.

We next describe the algorithm $\alpha$ for transforming a BAPA sentence $F_0$ into a PA sentence. The algorithm $\alpha$ is similar to the algorithm in Section 5.2, but, instead of eliminating the integer quantifiers, it accumulates them in a PA formula.

As the first step of the algorithm, transform $F_0$ into prenex form
$$Q_p v_p \ldots Q_1 v_1.\; F(v_1, \ldots, v_p) \qquad (11)$$
where $F$ is quantifier-free, and each quantifier $Q_i v_i$ is of one of the forms $\exists k$, $\forall k$, $\exists y$, $\forall y$, where $k$ denotes an integer variable and $y$ denotes a set variable. As in Section 5.2, separate $F$ into the set part and the purely Presburger arithmetic part by expressing all set relations in terms of $|b|$ terms and by naming each $|b|$, obtaining a formula of the form (8). Next, split all sets into disjoint unions of cubes $s_1, \ldots, s_m$ for $m = 2^n$ where $n$ is the number of all set variables, obtaining a formula of the form $Q_p v_p \ldots Q_1 v_1.\, F$ where $F$ is of the form (9). Letting $G_1 = F_1(t_1, \ldots, t_p)$, we obtain a formula of the form
$$Q_p v_p \ldots Q_1 v_1.\; \exists^+ l_1, \ldots, l_m.\; \bigwedge_{i=1}^{m} |s_i| = l_i \;\land\; G_1 \qquad (12)$$
where $G_1$ is a PA formula and $m = 2^n$. Formula (12) is the starting point of the main phase of algorithm $\alpha$.

The main phase of the algorithm successively eliminates the quantifiers $Q_1 v_1, \ldots, Q_p v_p$ while maintaining a formula of the form
$$Q_p v_p \ldots Q_r v_r.\; \exists^+ l_1, \ldots, l_q.\; \bigwedge_{i=1}^{q} |s_i| = l_i \;\land\; G_r \qquad (13)$$
where $G_r$ is a PA formula, $r$ grows from $1$ to $p + 1$, and $q = 2^e$ where $e$ for $0 \le e \le n$ is the number of set variables among $v_p, \ldots, v_r$. The list $s_1, \ldots, s_q$ is the list of all $2^e$ partitions formed from the set variables among $v_p, \ldots, v_r$.

We next show how to eliminate the innermost quantifier $Q_r v_r$ from the formula (13). During this process, the algorithm replaces the formula $G_r$ with a formula $G_{r+1}$ which has more integer quantifiers. If $v_r$ is an integer variable then the number of sets $q$ remains the same, and if $v_r$ is a set variable, then $q$ reduces from $2^e$ to $2^{e-1}$. We next consider each of the four possibilities $\exists k$, $\forall k$, $\exists y$, $\forall y$ for the quantifier $Q_r v_r$.

Consider first the case $\exists k$. Because $k$ does not occur in $\bigwedge_{i=1}^{q} |s_i| = l_i$, simply move the existential quantifier to $G_r$ and let $G_{r+1} = \exists k.\, G_r$, which completes the step.

For universal quantifiers, observe that
$$\lnot\Big(\exists^+ l_1 \ldots l_q.\; \bigwedge_{i=1}^{q} |s_i| = l_i \;\land\; G_r\Big)$$
is equivalent to
$$\exists^+ l_1 \ldots l_q.\; \bigwedge_{i=1}^{q} |s_i| = l_i \;\land\; \lnot G_r$$
because the existential quantifier is used as a let-binding (the values $l_i = |s_i|$ are uniquely determined), so we may first substitute all values $l_i$ into $G_r$, then perform the negation, and then extract back the definitions of all values $l_i$. Given that the universal quantifier $\forall k$ can be represented as the sequence of unary operators $\lnot \exists k \lnot$, from the elimination of $\exists k$ we immediately obtain the elimination of $\forall k$; it turns out that it suffices to let $G_{r+1} = \forall k.\, G_r$.

We next show how to eliminate an existential set 
quantifier 3y from 

9 

3y.3+li...l^. /\\si\ = li A Gr (14) 
which is equivalent to 

3+^1.../,. {3y./\ \si\=li) A Gr (15) 

Without loss of generality assume that the set variables 

,si, ■ ■ ■ , Sq are numbered such that S2i-i = n y'^ and 
S2i = s^ny for some cube s'^. Then apply again Lemma 1 
and replace each pair of conjuncts 

|s» niy"| = h^-l A |s- ny| = l■2^ (16) 
with the conjunct |s^| = l2i-i + l2i, yielding formula 

3 + h...lq. /\\Si\=l2,-l+l2^ A Gr (17) 

for q' = 2^~^. Finally, to obtain a formula of the 
form (13) for r + 1, introduce fresh variables l'^ con- 
strained by I'i = hi-i + hi, rewrite (17) as 

q' i' 

3+l[...l'^,. /\\s'i\=l'iA{3ll...lg. /\li=l2i-l+l2i/\Gr) 
i=l i=l 

and let 

q' 

Gr+l = 3'^h . . . Iq. ^ I'i = hi-l + hi A Gr (18) 
i=l 

This completes the description of elimination of an ex- 
istential set quantifier 3y. 

To eliminate a set quantifier Vj/, proceed analo- 
gously: introduce fresh variables l'^ = hi-i + hi and 

let Gr+l = V+ii ...Ig. (Ati I'i = hi-l + hi) ^ Gr, 

which can be verified by expressing Vy as -'3y-i. 

After eliminating all quantifiers as described above, 
we obtain a formula of the form 3+/. \U\ = I A Gp+i{l). 
We define the result of the algorithm, denoted a{Fo), 
to be the PA sentence Gp+i(MAXC). 

This completes the description of the; algorithm a. 
Given that the validity of PA sentences is decidable, the 
algorithm a is a decision procedure for BAPA sentences. 



$$
\begin{array}{l}
\forall^+ l_1.\,\forall^+ l_0.\; \mathrm{MAXC} = l_1 + l_0 \Rightarrow \\
\forall^+ l_{11}.\,\forall^+ l_{01}.\,\forall^+ l_{10}.\,\forall^+ l_{00}.\; l_1 = l_{11} + l_{01} \;\land\; l_0 = l_{10} + l_{00} \Rightarrow \\
\forall^+ l_{111}.\,\forall^+ l_{011}.\,\forall^+ l_{101}.\,\forall^+ l_{001}.\,\forall^+ l_{110}.\,\forall^+ l_{010}.\,\forall^+ l_{100}.\,\forall^+ l_{000}. \\
\quad l_{11} = l_{111} + l_{011} \;\land\; l_{01} = l_{101} + l_{001} \;\land\; l_{10} = l_{110} + l_{010} \;\land\; l_{00} = l_{100} + l_{000} \Rightarrow \\
\forall \mathit{size}.\,\forall \mathit{size}'. \\
\quad (l_{111} + l_{011} + l_{101} + l_{001} = 1 \;\land\; l_{111} + l_{011} = 0 \;\land\; l_{111} + l_{011} + l_{110} + l_{010} = \mathit{size} \;\land \\
\qquad l_{100} = 0 \;\land\; l_{011} + l_{001} + l_{010} = 0 \;\land\; \mathit{size}' = \mathit{size} + 1) \\
\quad \Rightarrow (0 < \mathit{size}' \;\land\; l_{111} + l_{101} + l_{110} + l_{100} = \mathit{size}')
\end{array}
$$

Figure 9: The translation of the BAPA sentence from Figure 3 into a PA sentence

Theorem 3 The algorithm $\alpha$ described above maps each BAPA sentence $F_0$ into an equivalent PA sentence $\alpha(F_0)$.

Formalization of the algorithm $\alpha$. To formalize the algorithm $\alpha$, we have implemented it in the functional programming language O'Caml (Section 11.3).¹ As an illustration, when we run the implementation on the BAPA formula in Figure 3, which represents a verification condition, we immediately obtain the PA formula in Figure 9. Note that the structure of the resulting formula mimics the structure of the original formula: every set quantifier is replaced by the corresponding block of quantifiers over non-negative integers constrained to partition the previously introduced integer variables. Figure 10 presents the correspondence between the set variables of the BAPA formula and the integer variables of the translated PA formula. Note that the relationship $\mathit{content}' = \mathit{content} \cup e$ translates into the conjunction of the constraints $|\mathit{content}' \cap (\mathit{content} \cup e)^c| = 0 \;\land\; |(\mathit{content} \cup e) \cap \mathit{content}'^c| = 0$, which reduces to the conjunction $l_{100} = 0 \;\land\; l_{011} + l_{001} + l_{010} = 0$ using the translation of set expressions into the disjoint union of partitions, and the correspondence in Figure 10.

The subsequent sections explore further consequences of the existence of the algorithm $\alpha$, including an upper bound on the computational complexity of BAPA sentences and the combination of BA with proper extensions of PA.

6 Complexity 

In this section we analyze the algorithm $\alpha$ from Section 5.4 and obtain space and time bounds on BAPA from the corresponding space and time bounds for PA.

¹ The implementation is available from http://www.cag.lcs.mit.edu/~vkuncak/artifacts/bapa/.
general relationship:
$$l_{i_1 \ldots i_k} = |\mathit{set}_g^{\,i_1} \cap \mathit{set}_{g+1}^{\,i_2} \cap \ldots \cap \mathit{set}_S^{\,i_k}|, \qquad g = S - (k - 1), \quad S = \text{number of set variables},$$
where $\mathit{set}^1$ denotes $\mathit{set}$ and $\mathit{set}^0$ denotes $\mathit{set}^c$.

in this example: $\mathit{set}_1 = \mathit{content}'$, $\mathit{set}_2 = \mathit{content}$, $\mathit{set}_3 = e$

$l_{000} = |\mathit{content}'^c \cap \mathit{content}^c \cap e^c|$
$l_{001} = |\mathit{content}'^c \cap \mathit{content}^c \cap e|$
$l_{010} = |\mathit{content}'^c \cap \mathit{content} \cap e^c|$
$l_{011} = |\mathit{content}'^c \cap \mathit{content} \cap e|$
$l_{100} = |\mathit{content}' \cap \mathit{content}^c \cap e^c|$
$l_{101} = |\mathit{content}' \cap \mathit{content}^c \cap e|$
$l_{110} = |\mathit{content}' \cap \mathit{content} \cap e^c|$
$l_{111} = |\mathit{content}' \cap \mathit{content} \cap e|$

Figure 10: The Correspondence between Integer Variables in Figure 9 and Set Variables in Figure 3

We then show that the new decision procedure meets 
the optimal worst-case bounds for Boolean algebras if 
applied to purely Boolean algebra formulas. Moreover, 
by construction, our procedure reduces to the proce- 
dure for Presburger arithmetic formulas if there are no 
set quantifiers. In summary, our decision procedure is 
optimal for BA, does not impose any overhead for pure 
PA formulas, and the complexity of the general BAPA 
validity is not much worse than the complexity of PA 
itself. 

6.1 An Elementary Upper Bound 

We next show that the algorithm in Section 5.4 transforms a BAPA sentence $F_0$ into a PA sentence whose size is at most one exponential larger and which has the same number of quantifier alternations.

If $F$ is a formula in prenex form, let $\mathrm{size}(F)$ denote the size of $F$, and let $\mathrm{alts}(F)$ denote the number of quantifier alternations in $F$. Define the iterated exponentiation function $\exp_k(x)$ by $\exp_0(x) = x$ and $\exp_{k+1}(x) = 2^{\exp_k(x)}$. We have the following lemma.

Lemma 4 For the algorithm $\alpha$ from Section 5.4 there is a constant $c > 0$ such that
$$\mathrm{size}(\alpha(F_0)) \le 2^{c \cdot \mathrm{size}(F_0)}, \qquad \mathrm{alts}(\alpha(F_0)) = \mathrm{alts}(F_0).$$
Moreover, the algorithm $\alpha$ runs in $2^{O(\mathrm{size}(F_0))}$ space.

Proof. To gain some intuition on the size of $\alpha(F_0)$ compared to the size of $F_0$, compare first the formula in Figure 9 with the original formula in Figure 3. Let $n$ denote the size of the initial formula $F_0$ and let $S$ be the number of set variables. Note that the following operations are polynomially bounded in time and space: 1) transforming a formula into prenex form, 2) transforming relations $b_1 = b_2$ and $b_1 \subseteq b_2$ into the form $|b| = 0$. Introducing set variables for each partition and replacing each $|b|$ with a sum of integer variables yields a formula $G_1$ whose size is bounded by $O(n 2^S S)$ (the last $S$ factor is because representing a variable from a set of $K$ variables requires space $\log K$). The subsequent transformations introduce the existing integer quantifiers, whose size is bounded by $n$, and introduce additionally $2^{S-1} + \ldots + 2 + 1 = 2^S - 1$ new integer variables along with the equations that define them. Note that the defining equations always have the form $l'_i = l_{2i-1} + l_{2i}$ and have size bounded by $S$. We therefore conclude that the size of $\alpha(F_0)$ is $O(nS(2^S + 2^S))$ and therefore $O(nS2^S)$, which is certainly $O(2^{cn})$ for any $c > 1$. Moreover, note that we have obtained a more precise bound $O(nS2^S)$ indicating that the exponential explosion is caused only by set variables. Finally, the fact that the number of quantifier alternations is the same in $F_0$ and $\alpha(F_0)$ is immediate because the algorithm replaces one set quantifier with a block of corresponding integer quantifiers. ∎

We next consider the worst-case space bound on BAPA. Recall first the following bound on space complexity for PA.

Fact 2 [16, Chapter 3] The validity of a PA sentence of length $n$ can be decided in space $\exp_2(O(n))$.

From Lemma 4 and Fact 2 we conclude that the validity of BAPA formulas can be decided in space $\exp_3(O(n))$. It turns out, however, that we obtain better bounds on BAPA validity by analyzing the number of quantifier alternations in BA and BAPA formulas.

Fact 3 [40] The validity of a PA sentence of length $n$ and with $m$ quantifier alternations can be decided in space $2^{n^{O(m)}}$.

From Lemma 4 and Fact 3 we obtain our space upper bound, which implies the upper bound on deterministic time.

Theorem 5 The validity of a BAPA sentence of length $n$ and with $m$ quantifier alternations can be decided in space $\exp_2(O(mn))$, and, consequently, in deterministic time $\exp_3(O(mn))$.

If we approximate the number of quantifier alternations by the formula size, we conclude that BAPA validity can be decided in space $\exp_2(O(n^2))$, compared to the $\exp_2(O(n))$ bound for Presburger arithmetic from Fact 2. Therefore, despite the exponential explosion in the size of the formula in the algorithm $\alpha$, thanks to the same number of quantifier alternations, our bound is not very far from the bound for Presburger arithmetic.
6.2 Boolean Algebras as a Special Case

We next analyze the result of applying the algorithm $\alpha$ to a pure BA sentence $F_0$. By a pure BA sentence we mean a BA sentence without cardinality constraints, containing only the standard operations $\cap$, $\cup$ and the relations $\subseteq$, $=$. At first, it might seem that the algorithm $\alpha$ is not a reasonable approach to deciding pure BA formulas, given that the best upper bounds for PA are worse than the corresponding bounds for BA. However, we identify a special form of PA sentences $\mathrm{PA}_{\mathrm{BA}} = \{\alpha(F_0) \mid F_0 \text{ is in pure BA}\}$ and show that such sentences can be decided in $2^{O(n)}$ space, which is optimal for Boolean algebras [24]. Our analysis shows that using binary representations of integers that correspond to the sizes of sets achieves a similar effect to representing these sets as bit vectors, although the two representations are not identical.

Let $S$ be the number of set variables in the initial formula $F_0$ (recall that set variables are the only variables in $F_0$). Let $l_1, \ldots, l_q$ be the set of free variables of the formula $G_r(l_1, \ldots, l_q)$; then $q = 2^e$ for $e = S + 1 - r$. Let $w_1, \ldots, w_q$ be integers specifying the values of $l_1, \ldots, l_q$. We then have the following lemma.

Lemma 6 For each $r$ where $1 \le r \le S + 1$, the truth value of $G_r(w_1, \ldots, w_q)$ is equal to the truth value of $G_r(\bar{w}_1, \ldots, \bar{w}_q)$ where $\bar{w}_i = \min(w_i, 2^{r-1})$.

Proof. We prove the claim by induction on $r$. For $r = 1$, observe that the translation of the quantifier-free part of the pure BA formula yields a PA formula $F_1$ all of whose atomic formulas are of the form $l_{i_1} + \ldots + l_{i_k} = 0$, which are equivalent to $\bigwedge_{j=1}^{k} l_{i_j} = 0$. Therefore, the truth value of $F_1$ depends only on whether the integer variables are zero or non-zero, which means that we may restrict the variables to the interval $[0, 1]$.

For the inductive step, consider the elimination of a set variable, and assume that the property holds for $G_r$ and for all $q$-tuples of non-negative integers $w_1, \ldots, w_q$. Let $q' = q/2$ and let $w'_1, \ldots, w'_{q'}$ be a tuple of non-negative integers, with $\bar{w}'_i = \min(w'_i, 2^r)$. We show that $G_{r+1}(w'_1, \ldots, w'_{q'})$ is equivalent to $G_{r+1}(\bar{w}'_1, \ldots, \bar{w}'_{q'})$; we treat the case in which $G_{r+1}$ arises from an existential set quantifier as in (18), the universal case being dual.

Suppose first that $G_{r+1}(\bar{w}'_1, \ldots, \bar{w}'_{q'})$ holds. Then for each $\bar{w}'_i$ there are $u_{2i-1}$ and $u_{2i}$ such that $\bar{w}'_i = u_{2i-1} + u_{2i}$ and $G_r(u_1, \ldots, u_q)$. We define witnesses $w_1, \ldots, w_q$ as follows. If $w'_i < 2^r$, then let $w_{2i-1} = u_{2i-1}$ and $w_{2i} = u_{2i}$. If $w'_i \ge 2^r$, then either $u_{2i-1} \ge 2^{r-1}$ or $u_{2i} \ge 2^{r-1}$ (or both). If $u_{2i-1} \ge 2^{r-1}$, then let $w_{2i-1} = w'_i - u_{2i}$ and $w_{2i} = u_{2i}$ (and symmetrically if $u_{2i} \ge 2^{r-1}$). Note that $G_r(\ldots, w_{2i-1}, \ldots) \iff G_r(\ldots, u_{2i-1}, \ldots) \iff G_r(\ldots, 2^{r-1}, \ldots)$ by the induction hypothesis, because both $u_{2i-1} \ge 2^{r-1}$ and $w_{2i-1} \ge 2^{r-1}$. For $w_1, \ldots, w_q$ chosen as above we therefore have $w'_i = w_{2i-1} + w_{2i}$ and $G_r(w_1, \ldots, w_q)$, which by the definition of $G_{r+1}$ means that $G_{r+1}(w'_1, \ldots, w'_{q'})$ holds.

Conversely, suppose that $G_{r+1}(w'_1, \ldots, w'_{q'})$ holds. Then there are $w_1, \ldots, w_q$ such that $G_r(w_1, \ldots, w_q)$ and $w'_i = w_{2i-1} + w_{2i}$. If $w_{2i-1} < 2^{r-1}$ and $w_{2i} < 2^{r-1}$, then $w'_i < 2^r$, so let $u_{2i-1} = w_{2i-1}$ and $u_{2i} = w_{2i}$. If $w_{2i-1} \ge 2^{r-1}$ and $w_{2i} \ge 2^{r-1}$, then let $u_{2i-1} = 2^{r-1}$ and $u_{2i} = 2^{r-1}$. If $w_{2i-1} \ge 2^{r-1}$ and $w_{2i} < 2^{r-1}$, then let $u_{2i-1} = \bar{w}'_i - w_{2i}$ (which is again at least $2^{r-1}$) and $u_{2i} = w_{2i}$; the remaining case is symmetric. By the induction hypothesis we have $G_r(u_1, \ldots, u_q) = G_r(w_1, \ldots, w_q)$. Furthermore, $u_{2i-1} + u_{2i} = \bar{w}'_i$, so $G_{r+1}(\bar{w}'_1, \ldots, \bar{w}'_{q'})$ holds by the definition of $G_{r+1}$. ∎

Now consider a formula $F_0$ of size $n$ with $S$ set variables. Then $\alpha(F_0) = G_{S+1}$. By Lemma 4, $\mathrm{size}(\alpha(F_0))$ is $O(nS2^S)$. By Lemma 6, it suffices for the outermost variable $l$ to range over the integer interval $[0, 2^S]$, and the range of subsequent variables is even smaller. Therefore, the value of each of the $2^{S+1} - 1$ variables can be represented in $O(S)$ space, which is the same order of space used to represent the names of the variables themselves. This means that evaluating the formula $\alpha(F_0)$ can be done in the same space $O(nS2^S)$ as the size of the formula. Representing the valuation assigning values to variables can be done in $O(S2^S)$ space, so the truth value of the formula can be evaluated in $O(nS2^S)$ space, which is certainly $2^{O(n)}$. We obtain the following theorem.

Theorem 7 If $F_0$ is a pure BA formula with $S$ variables and of size $n$, then the truth value of $\alpha(F_0)$ can be computed in $O(nS2^S)$ and therefore $2^{O(n)}$ space.

7 Allowing Infinite Sets 

We next sketch the extension of our algorithm $\alpha$ (Section 5.4) to the case when the universe of the structure may be infinite, and the underlying language has the ability to distinguish between finite and infinite sets. Infinite sets are useful in program analysis for modelling pools of objects such as those arising in dynamic object allocation.

We generalize the language of BAPA and the interpretation of BAPA operations as follows.

1. Introduce the unary predicate $\mathrm{fin}(b)$ which is true iff $b$ is a finite set. The predicate $\mathrm{fin}(b)$ allows us to generalize our algorithm to the case of an infinite universe, and additionally gives the expressive power to distinguish between finite and infinite sets. For example, using $\mathrm{fin}(b)$ we can express bounded quantification over finite or over infinite sets.

2. Define $|b|$ to be the integer zero if $b$ is infinite, and the cardinality of $b$ if $b$ is finite.

3. Introduce propositional variables denoted by letters such as $p, q$, and quantification over propositional variables. Extend also the underlying PA formulas with propositional variables, which is acceptable because a variable $p$ can be treated as a shorthand for an integer from $\{0, 1\}$ if each use of $p$ as an atomic formula is interpreted as the atomic formula $(p = 1)$. Our extended algorithm uses the equivalences $\mathrm{fin}(b) \iff p$ to represent the finiteness of sets just as it uses the equations $|b| = l$ to represent the cardinalities of finite sets.

4. Introduce a propositional constant $\mathrm{FIND}$ such that $\mathrm{fin}(\mathcal{U}) \iff \mathrm{FIND}$. This propositional constant enables equivalence-preserving quantifier elimination over the set of models that includes both models with finite universe $\mathcal{U}$ and models with infinite universe $\mathcal{U}$.

Denote the resulting extended language $\mathrm{BAPA}^\infty$.

The following lemma generalizes Lemma 1 for the case of equalities.

Lemma 8 Let $b_1, \ldots, b_n$ be disjoint sets, $l_1, \ldots, l_n, k_1, \ldots, k_n$ be natural numbers, and $p_1, \ldots, p_n, q_1, \ldots, q_n$ be propositional values. Then the following two statements are equivalent:

1. There exists a set $y$ such that
$$\bigwedge_{i=1}^{n} |b_i \cap y| = k_i \;\land\; (\mathrm{fin}(b_i \cap y) \iff p_i) \;\land\; |b_i \cap y^c| = l_i \;\land\; (\mathrm{fin}(b_i \cap y^c) \iff q_i) \qquad (19)$$

2.
$$\bigwedge_{i=1}^{n} (p_i \land q_i \Rightarrow |b_i| = k_i + l_i) \;\land\; (\mathrm{fin}(b_i) \iff (p_i \land q_i)) \qquad (20)$$

Proof. ($\Rightarrow$) Suppose that there exists a set $y$ satisfying (19). From $b_i = (b_i \cap y) \cup (b_i \cap y^c)$, we have $\mathrm{fin}(b_i) \iff (p_i \land q_i)$. Furthermore, if $p_i$ and $q_i$ hold, then both $b_i \cap y$ and $b_i \cap y^c$ are finite, so the relation $|b_i| = |b_i \cap y| + |b_i \cap y^c|$ holds.

($\Leftarrow$) Suppose that (20) holds. For each $i$ we choose a subset $y_i \subseteq b_i$, depending on the truth values of $p_i$ and $q_i$, as follows.

1. If both $p_i$ and $q_i$ are true, then $\mathrm{fin}(b_i)$ holds, so $b_i$ is finite. Choose $y_i$ as any subset of $b_i$ with $k_i$ elements, which is possible since $b_i$ has $k_i + l_i$ elements.

2. If $p_i$ does not hold, but $q_i$ holds, then $\mathrm{fin}(b_i)$ does not hold, so $b_i$ is infinite. Choose $y'_i$ as any finite subset of $b_i$ with $l_i$ elements and let $y_i = b_i \setminus y'_i$ be the corresponding cofinite subset of $b_i$.

3. Analogously, if $p_i$ holds, but $q_i$ does not hold, then $b_i$ is infinite; choose $y_i$ as any finite subset of $b_i$ with $k_i$ elements.

4. If $p_i$ and $q_i$ are both false, then $b_i$ is also infinite; every infinite set can be written as a disjoint union of two infinite sets, so let $y_i$ be one such set.

Let $y = \bigcup_{i=1}^{n} y_i$. As in the proof of Lemma 1, we have $b_i \cap y = y_i$ and $b_i \cap y^c = b_i \setminus y_i$. By construction of $y_1, \ldots, y_n$ we conclude that (19) holds. ∎

The algorithm $\alpha$ for $\mathrm{BAPA}^\infty$ is analogous to the algorithm for BAPA. In each step, the new algorithm maintains a formula of the form
$$Q_p v_p \ldots Q_r v_r.\; \exists^+ l_1 \ldots l_q.\; \exists p_1 \ldots p_q.\; \Big(\bigwedge_{i=1}^{q} |s_i| = l_i \land (\mathrm{fin}(s_i) \iff p_i)\Big) \;\land\; G_r$$
As in Section 5.4, the algorithm eliminates an integer quantifier $\exists k$ by letting $G_{r+1} = \exists k.\, G_r$ and eliminates an integer quantifier $\forall k$ by letting $G_{r+1} = \forall k.\, G_r$. Furthermore, just as the algorithm in Section 5.4 uses Lemma 1 to reduce a set quantifier to integer quantifiers, the new algorithm uses Lemma 8 for this purpose. The algorithm replaces
$$\exists y.\; \exists^+ l_1 \ldots l_q.\; \exists p_1 \ldots p_q.\; \Big(\bigwedge_{i=1}^{q} |s_i| = l_i \land (\mathrm{fin}(s_i) \iff p_i)\Big) \;\land\; G_r$$
with
$$\exists^+ l'_1 \ldots l'_{q'}.\; \exists p'_1 \ldots p'_{q'}.\; \Big(\bigwedge_{i=1}^{q'} |s'_i| = l'_i \land (\mathrm{fin}(s'_i) \iff p'_i)\Big) \;\land\; G_{r+1}$$
for $q' = q/2$, and
$$G_{r+1} = \exists^+ l_1 \ldots l_q.\; \exists p_1, \ldots, p_q.\; \Big(\bigwedge_{i=1}^{q'} (p_{2i-1} \land p_{2i} \Rightarrow l'_i = l_{2i-1} + l_{2i}) \;\land\; (p'_i \iff (p_{2i-1} \land p_{2i}))\Big) \;\land\; G_r$$
For the quantifier $\forall y$ the algorithm analogously generates
$$G_{r+1} = \forall^+ l_1 \ldots l_q.\; \forall p_1, \ldots, p_q.\; \Big(\bigwedge_{i=1}^{q'} (p_{2i-1} \land p_{2i} \Rightarrow l'_i = l_{2i-1} + l_{2i}) \;\land\; (p'_i \iff (p_{2i-1} \land p_{2i}))\Big) \Rightarrow G_r$$
After eliminating all quantifiers, the algorithm obtains a formula of the form $\exists^+ l.\, \exists p.\; |\mathcal{U}| = l \land (\mathrm{fin}(\mathcal{U}) \iff p) \land G_{p+1}(l, p)$. We define the result of the algorithm to be the PA sentence $G_{p+1}(\mathrm{MAXC}, \mathrm{FIND})$.

This completes our description of the generalized algorithm $\alpha$ for $\mathrm{BAPA}^\infty$. The complexity analysis from Section 6 also applies to the generalized version. We also note that our algorithm yields an equivalent formula over any family of models. A sentence is valid in a set of models iff it is valid on each model. Therefore, the validity of a $\mathrm{BAPA}^\infty$ sentence $F_0$ is given by applying to the formula $\alpha(F_0)(\mathrm{MAXC}, \mathrm{FIND})$ a form of universal quantifier over all pairs $(\mathrm{MAXC}, \mathrm{FIND})$ that determine the characteristics of the models in question. For example, for validity over the models with infinite universe we use $\alpha(F_0)(0, \mathit{false})$, for validity over all finite models we use $\forall^+ k.\, \alpha(F_0)(k, \mathit{true})$, and for validity over all models we use the PA formula
$$\alpha(F_0)(0, \mathit{false}) \;\land\; \forall^+ k.\, \alpha(F_0)(k, \mathit{true}).$$
We therefore have the following result, which answers a generalized version of the question left open in [57].

Theorem 9 The algorithm above effectively reduces the validity of $\mathrm{BAPA}^\infty$ sentences to the validity of Presburger arithmetic formulas with the same number of quantifier alternations, and with an increase in formula size exponential in the number of set variables; the reduction works for each of the following: 1) the set of all models, 2) the set of models with infinite universe only, and 3) the set of all models with finite universe.

8 Relationship with MSOL over Strings 

The monadic second-order logic (MSOL) over strings 
is a decidable logic that can encode Presburger arith- 
metic by encoding addition using one successor symbol 
and quantification over sets. This logic therefore simul- 
taneously supports sets and integers, so it is natural to 
examine its relationship with BAPA. It turns out that 
there are two important differences between MSOL over 
strings and BAPA: 

1. BAPA can express relationships of the form $|A| = k$ where $A$ is a set variable and $k$ is an integer variable; such a relation is not definable in MSOL over strings.

2. In MSOL over strings, the sets contain integers as 
elements, whereas in BAPA the sets contain unin- 
terpreted elements. 

Given these differences, a natural question is to consider the decidability of an extension of MSOL that allows stating relations $|A| = k$ where $A$ is a set of integers and $k$ is an integer variable. Note that by saying $\exists k.\, |A| = k \land |B| = k$ we can express $|A| = |B|$, so we obtain MSOL with equicardinality constraints. However, extensions of MSOL over strings with equicardinality constraints are known to be undecidable; we review some reductions in Section 11.2. Undecidability results such as these are what perhaps led to the conjecture that BAPA itself is undecidable [57, Page 12]. In this paper we have shown that BAPA is, in fact, decidable and has an elementary decision procedure. Moreover, we next present a combination of BA with MSOL over $n$-successors that is still decidable.



8.1 Decidability of MSOL with Cardinalities on Uninterpreted Sets

Consider the multisorted language BAMSOL defined as follows. First, BAMSOL contains all relations of monadic second-order logic of $n$-successors, whose variables range over strings over an $n$-ary alphabet and sets of such strings. Second, BAMSOL contains sets of uninterpreted elements and Boolean algebra operations on them. Third, BAMSOL allows stating relationships of the form $|x| = k$ where $x$ is a set of uninterpreted elements and $k$ is a string representing a natural number. Because all PA operations are definable in MSOL of 1-successor, the algorithm $\alpha$ applies in this case as well. Indeed, the algorithm $\alpha$ only needs a "lower bound" on the expressive power of the theory of integers that BA is combined with: the ability to state constraints of the form $l'_i = l_{2i-1} + l_{2i}$, and quantification over integers. Therefore, applying $\alpha$ to a BAMSOL formula results in an MSOL formula. This shows that BAMSOL is decidable and can be decided using a combination of the algorithm $\alpha$ and a tool such as [23]. By Lemma 4, the decision procedure for BAMSOL based on translation to MSOL has an upper bound of $\exp_n(O(n))$ using a decision procedure such as [23] based on tree automata [10]. The corresponding non-elementary lower bound follows from the lower bound on MSOL itself [48].

9 Related Work 

Presburger arithmetic. The original result on decidability of Presburger arithmetic is [37] (see [51, Page 24] for a review). This decision procedure was improved in [11] and subsequently in [36]. The best known bound on formula size is obtained using bounded model property techniques [16]. An analysis based on the number of quantifier alternations is presented in [40]. [7] presents a proof-generating version of [11]. The omega test as a decision procedure for Presburger arithmetic is described in [39]. [38] describes how to compute the number of satisfying assignments to free variables in a Presburger arithmetic formula, and describes the applications for computing those numbers for the purpose of program analysis and optimization. Some bounds on quantifier-elimination procedures for Presburger arithmetic are presented in [52]. Automata-theoretic [23, 5] and model checking approaches [19, 46] can also be used to decide Presburger arithmetic and its fragments.

Boolean Algebras. The first results on decidability of Boolean algebras are from [47, 31, 50], [1, Chapter 4] and use quantifier elimination, from which one can derive the small model property; [24] gives the complexity of the satisfiability problem. [6] gives an overview of several fragments of set theory including theories with quantifiers but no cardinality constraints and theories with cardinality constraints but no quantification over sets.

Combinations of Decidable Theories. The techniques for combining quantifier-free theories [35, 42] and their generalizations such as [55, 56] are of great importance for program verification. This paper shows a particular combination result for quantified formulas, which add additional expressive power in writing specifications. Among the general results for quantified formulas are the Feferman-Vaught theorem for products [15], and term powers [26, 27].

Our decidability result is closest to [57] which gives 
a solution for the combination of Presburger arithmetic 
with a notion of sets and quantification of elements, 
and conjectures that adding the quantification over sets 
leads to an undecidable theory. The results of this paper 
prove that the conjecture is false and give an elementary 
upper bound on the complexity of the combined theory. 

Analyses of Dynamic Data Structures. Our new decidability result enables verification tools to reason about sets and their sizes. This capability is particularly important for analyses that handle dynamically allocated data structures where the number of objects is statically unbounded [29, 30, 28, 54, 53, 43, 44]. Recently, these approaches were extended to handle the combinations of the constraints representing data structure contents and constraints representing numerical properties of data structures [43, 9]. Our result provides a systematic mechanism for building precise and predictable versions of such analyses.

10 Conclusion 

Motivated by static analysis and verification of relations between data structure content and size, we have introduced the first-order theory of Boolean algebras with Presburger arithmetic (BAPA), established its decidability, presented a decision procedure via reduction to Presburger arithmetic, and showed an elementary upper bound on the worst-case complexity. We expect that our decidability result will play a significant role in verification of programs [35, 13, 17, 32], especially for programs that manipulate dynamically changing sets of objects [29, 30, 28, 54, 53, 43, 44].
$$
\begin{array}{rcl}
F & ::= & A \mid F_1 \wedge F_2 \mid \neg F \mid F_1 \vee F_2 \mid \exists x.\,F \mid \forall x.\,F \\
A & ::= & T_1 = T_2 \mid T_1 < T_2 \mid C \,\mathrm{dvd}\, T \\
T & ::= & x \mid C \mid T_1 + T_2 \mid T_1 - T_2 \mid C \cdot T \\
C & ::= & \ldots \mid -2 \mid -1 \mid 0 \mid 1 \mid 2 \mid \ldots
\end{array}
$$

Figure 11: Formulas of Presburger Arithmetic PA

11 Appendix 

11.1 Quantifier Elimination for PA 

For completeness, this section reviews a procedure for quantifier elimination in Presburger arithmetic. For expository purposes we present a version of the quantifier elimination procedure that first transforms the formula into disjunctive normal form. The transformation to disjunctive normal form can be avoided, as observed in [11, 36, 40]. However, our results in Section 5 can be used with other variations of the quantifier elimination for Presburger arithmetic, and can be formulated in such a way that they not only do not depend on the technique for quantifier elimination for Presburger arithmetic, but do not depend on the technique for deciding Presburger arithmetic at all, allowing the use of automata-theoretic [23] and model checking techniques [19].

Figure 11 presents the syntax of Presburger arithmetic formulas. We interpret formulas over the structure of integers, with the standard interpretation of logical connectives, quantifiers, irreflexive total order on integers, addition, subtraction, and constants. We allow multiplication by a constant only (the case $C \cdot T$ in Figure 11), which is expressible using addition and subtraction. If $c$ is a constant and $t$ is a term, the notation $c \,\mathrm{dvd}\, t$ denotes that $c$ divides $t$, i.e., $t \bmod c = 0$. We assume that $c > 0$ in each formula $c \,\mathrm{dvd}\, t$.

We review a simple algorithm for deciding Presburger arithmetic inspired by [37], [51, Page 24], [11]. The algorithm we present eliminates an existential quantifier from a conjunction of literals in the language of Figure 11, which suffices by Section 4.1. Note first that we may eliminate all equalities $t_1 = t_2$ because

$$t_1 = t_2 \iff (t_1 < t_2 + 1) \wedge (t_2 < t_1 + 1)$$

Next, we have $\neg(t_1 < t_2) \iff t_2 < t_1 + 1$ and

$$\neg(c \,\mathrm{dvd}\, t) \iff \bigvee_{i=1}^{c-1} c \,\mathrm{dvd}\, t + i$$

which means that it suffices to consider the elimination of an existential quantifier from a formula of the form $\bigwedge_i A_i$ where each $A_i$ is an atomic formula of the form $t_1 < t_2$ or of the form $c \,\mathrm{dvd}\, t$. Each of the terms $t_1, t_2, t$ is linear, so we can write it in the form $c_0 + \sum_{i=1}^{n} c_i x_i$. Consequently, we may transform the atomic formulas into the forms $0 < c_0 + \sum_{i=1}^{n} c_i x_i$ and $c \,\mathrm{dvd}\, c_0 + \sum_{i=1}^{n} c_i x_i$. Consider an elimination of an existential quantifier $\exists x$ from a conjunction of such atomic formulas. Let $c_1, \ldots, c_k$ be the coefficients next to $x$ in the conjuncts and let $M > 0$ be the least common multiple of $c_1, \ldots, c_k$. Multiply each atomic formula of the form $0 < c_i x + t$ by $M/|c_i|$, and multiply each atomic formula of the form $c \,\mathrm{dvd}\, c_i x + t$ by $M/c_i$ (yielding $(M/c_i)\, c \,\mathrm{dvd}\, Mx + (M/c_i)\, t$). The result is an equivalent conjunction of formulas with the property that, in each conjunct, the coefficient next to $x$ is $M$ or $-M$. The conjunction is therefore of the form $F_0(Mx)$ for some formula $F_0$. The formula $\exists x.\, F_0(Mx)$ is equivalent to the formula $\exists y.\, (F_0(y) \wedge M \,\mathrm{dvd}\, y)$. By moving $x$ to the left-hand side if its coefficient is $-1$ in the term $t$ of each atomic formula $0 < t$, replacing $c \,\mathrm{dvd}\, {-y} + t$ by $c \,\mathrm{dvd}\, y - t$, and renaming $y$ as $x$, it remains to eliminate an existential quantifier from $\exists x.\, F(x)$ where

$$F(x) = \bigwedge_{i=1}^{q} x < a_i \;\wedge\; \bigwedge_{i=1}^{p} b_i < x \;\wedge\; \bigwedge_{i=1}^{r} c_i \,\mathrm{dvd}\, x + t_i$$

where $x$ does not occur in any of $a_i$, $b_i$, $t_i$. Let $N$ be the least common multiple of $c_1, \ldots, c_r$. Clearly, if $x = u$ is a solution of $F_1(x) = \bigwedge_{i=1}^{r} c_i \,\mathrm{dvd}\, x + t_i$, then so is $x = u + Nk$ for every integer $k$. If $p = 0$ and $q = 0$ then $\exists y.\, F(y)$ is equivalent to e.g. $\bigvee_{k=1}^{N} F(k)$, which eliminates the quantifier. Otherwise, suppose that $p > 0$ (the case $q > 0$ is analogous, and if $p > 0$ and $q > 0$ then both are applicable). Suppose for a moment that we are given an assignment to the free variables of $\exists x.\, F(x)$. Then the formula $\exists x.\, F(x)$ is equivalent to $\bigvee_u F_1(u)$ where $u$ ranges over the elements $u$ such that

$$\max(b_1, \ldots, b_p) < u < \min(a_1, \ldots, a_q)$$

Let $b = \max(b_1, \ldots, b_p)$. Then $\exists x.\, F(x)$ is equivalent to $\bigvee_{i=1}^{N} F(b + i)$. Namely, if a solution exists, it must be of the form $b + i$ for some $i > 0$, and it suffices to check $N$ consecutive numbers as argued above. Of course, we do not know the assignment to the free variables of $\exists x.\, F(x)$, so we do not know for which $b_i$ we have $b = b_i$. However, we can check all possibilities for $b_i$. We therefore have that $\exists y.\, F(y)$ is equivalent to

$$\bigvee_{j=1}^{p} \bigvee_{i=1}^{N} F(b_j + i)$$

This completes the sketch of the quantifier elimination for Presburger arithmetic. We obtain the following result.
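The following Python program is an added worked example of the elimination step sketched above; it is not code from the paper (whose own algorithm $\alpha$ is given in O'Caml in Section 11.3). It takes a conjunction of atoms already in the two normal forms $0 < t$ and $c \,\mathrm{dvd}\, t$ (the equalities and negations having been rewritten as described), computes $M$, scales every atom so that the coefficient of $x$ becomes $\pm M$, reads $Mx$ as a fresh $y$ with the extra conjunct $M \,\mathrm{dvd}\, y$, computes $N$ as the lcm of the divisibility constants, and returns the disjunction $\bigvee_j \bigvee_{i=1}^{N} F(b_j + i)$ (or the symmetric $a_j - i$ form when only upper bounds exist, or $\bigvee_{k=1}^{N} F(k)$ when $p = q = 0$) with variable-free atoms decided on the spot. The term and atom encoding, the sample formula and the brute-force checker are constructions for this example; divisibility atoms are scaled by $M/|c_i|$ rather than $M/c_i$, which is equivalent because $c \,\mathrm{dvd}\, t$ and $-c \,\mathrm{dvd}\, t$ coincide.

```python
from math import gcd
from functools import reduce

# Linear terms are dicts {variable: coefficient}; the key "" holds the
# constant c_0 and absent variables have coefficient 0.  Atoms use the two
# normal forms of the text:
#   ("lt", t)      means  0 < t
#   ("dvd", c, t)  means  c dvd t,  with c > 0

def add(t1, t2):
    r = dict(t1)
    for v, c in t2.items():
        r[v] = r.get(v, 0) + c
    return {v: c for v, c in r.items() if c != 0}

def scale(t, k):
    return {v: c * k for v, c in t.items()}

def const(i):
    return {"": i} if i else {}

def lcm(a, b):
    return a * b // gcd(a, b)

def eliminate(atoms, x):
    """Eliminate 'exists x' from a conjunction of atoms.  Returns a list of
    conjunctions (a disjunction of conjunctions), none of which mentions x."""
    coefs = [abs(a[-1][x]) for a in atoms if a[-1].get(x, 0) != 0]
    if not coefs:
        return [list(atoms)]
    M = reduce(lcm, coefs)            # lcm of the coefficients c_i next to x
    lowers, uppers, dvds, side = [], [], [], []
    for a in atoms:
        t, cx = a[-1], a[-1].get(x, 0)
        if cx == 0:
            side.append(a)            # atom without x: carried through unchanged
            continue
        k = M // abs(cx)              # multiply the atom by M/|c_i|
        rest = scale({v: c for v, c in t.items() if v != x}, k)
        # After scaling the coefficient of x is +M or -M; write y for M*x.
        if a[0] == "lt":
            if cx > 0:
                lowers.append(scale(rest, -1))   # 0 < y + rest   <=>  -rest < y
            else:
                uppers.append(rest)              # 0 < -y + rest  <=>  y < rest
        else:
            # c dvd (M x + rest) -> kc dvd y + rest;  c dvd (-M x + rest) -> kc dvd y - rest
            dvds.append((a[1] * k, rest if cx > 0 else scale(rest, -1)))
    dvds.append((M, {}))              # exists x.F0(Mx)  <=>  exists y.(F0(y) and M dvd y)
    N = reduce(lcm, [c for c, _ in dvds])
    # Candidate values for y: b_j + i (i = 1..N) for each lower bound b_j; the
    # symmetric a_j - i when only upper bounds exist; plain 1..N when p = q = 0.
    if lowers:
        cands = [add(b, const(i)) for b in lowers for i in range(1, N + 1)]
    elif uppers:
        cands = [add(a, const(-i)) for a in uppers for i in range(1, N + 1)]
    else:
        cands = [const(i) for i in range(1, N + 1)]
    result = []
    for s in cands:                   # F(s): substitute y := s in every atom
        conj = [("lt", add(s, scale(b, -1))) for b in lowers]
        conj += [("lt", add(a, scale(s, -1))) for a in uppers]
        conj += [("dvd", c, add(s, t)) for c, t in dvds]
        conj = simplify(conj)
        if conj is not None:
            result.append(side + conj)
    return result

def simplify(conj):
    """Decide variable-free atoms; return None when the conjunction is false."""
    out = []
    for a in conj:
        t = a[-1]
        if set(t) <= {""}:
            v = t.get("", 0)
            if not ((0 < v) if a[0] == "lt" else v % a[1] == 0):
                return None
        else:
            out.append(a)
    return out

# Brute-force semantics, used only to check the elimination on a finite range.
def value(t, env):
    return sum(c * (1 if v == "" else env[v]) for v, c in t.items())

def holds(conj, env):
    return all((0 < value(a[-1], env)) if a[0] == "lt"
               else value(a[-1], env) % a[1] == 0 for a in conj)

def holds_dnf(dnf, env):
    return any(holds(conj, env) for conj in dnf)

def exists_brute(atoms, x, env, lo=-40, hi=40):
    return any(holds(atoms, {**env, x: u}) for u in range(lo, hi + 1))

# Constructed sample:  exists x. (y < 2x) and (2x < y + 4) and (3 dvd x + z)
EXAMPLE = [("lt", {"x": 2, "y": -1}),           # 0 < 2x - y
           ("lt", {"x": -2, "y": 1, "": 4}),    # 0 < -2x + y + 4
           ("dvd", 3, {"x": 1, "z": 1})]        # 3 dvd x + z

def check_example(lo=-6, hi=6):
    """True iff the quantifier-free result agrees with brute force for all y, z in [lo, hi]."""
    dnf = eliminate(EXAMPLE, "x")
    return all(holds_dnf(dnf, {"y": y, "z": z}) == exists_brute(EXAMPLE, "x", {"y": y, "z": z})
               for y in range(lo, hi + 1) for z in range(lo, hi + 1))

if __name__ == "__main__":
    for conj in eliminate(EXAMPLE, "x"):
        print(conj)
    print("agrees with brute force:", check_example())
```

On the sample, $M = 2$ and $N = \mathrm{lcm}(6, 2) = 6$; of the six candidates $y + i$ only $i \in \{1, 2, 3\}$ survive the upper bound $0 < 4 - i$, so the output is three conjunctions of the form $2 \,\mathrm{dvd}\, y + i \wedge 6 \,\mathrm{dvd}\, y + i + 2z$, which is exactly the result of substituting $2x = y + i$ into $3 \,\mathrm{dvd}\, x + z$.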

Fact 4 For every first-order formula $\phi$ in the language of Presburger arithmetic of Figure 11 there exists a quantifier-free formula $\psi$ such that $\psi$ is a disjunction of conjunctions of literals, the free variables of $\psi$ are a subset of the free variables of $\phi$, and $\psi$ is equivalent to $\phi$ over the structure of integers.

11.2 Undecidability of MSOL of Integer Sets with Cardinalities

We first note that there is a reduction from the Post Correspondence Problem that shows the undecidability of MSOL with equicardinality constraints. Namely, we can represent binary strings by finite sets of natural numbers. In this encoding, given a position, MSOL itself can easily express the local property that, at a given position, a string contains a given finite substring. The equicardinality gives the additional ability of finding the $n$-th element of an increasing sequence of elements. To encode a PCP instance, it suffices to write a formula checking the existence of a string (represented as set $A$) and the existence of two increasing sequences of equal length (represented by sets $U$ and $D$), such that for each $i$, there exists a pair $(a_j, b_j)$ of the PCP instance such that the position starting at $U_i$ contains the constant string $a_j$, and $U_{i+1} = U_i + |a_j|$, and similarly the position starting at $D_i$ contains $b_j$ and $D_{i+1} = D_i + |b_j|$.

The undecidability of MSOL over strings extended with equicardinality can also be shown by encoding multiplication of natural numbers. Given $A = \{1, 2, \ldots, x\}$ and $B = \{1, 2, \ldots, y\}$ we can define the set $C = \{x, 2x, \ldots, y \cdot x\}$ as the set with the same number of elements as $B$, that contains $x$, and that is closed under the unary operation $z \mapsto z + x$. Therefore, if we represent a natural number $n$ as the set $\{1, \ldots, n\}$, we can define both multiplication and addition of integers. This means that we can write formulas whose satisfiability answers the existence of solutions of Diophantine equations, which is undecidable by [33]. A similar reduction to a logic that does not even have quantification over sets is presented in [57].